Latest News from 100TB

Configuring SSL/TLS For Postfix

Most internet technologies are inherently insecure. For example, many of them transmit your data, and even your login credentials, between your computer and servers in plain text, where they can be read in transit. This is because most of these technologies were designed before the internet even existed. They were used on smaller independent networks where both the network and the systems could be trusted by other users. Secure Sockets Layer (SSL) came about as an attempt to provide a mechanism for securing network communications between an application and a server, one that existing applications could use without needing to handle their own encryption and security systems. But the question is, how can SSL help you?

What is SSL?

SSL was originally developed at Netscape, and its descendant, Transport Layer Security (TLS), is in common use today. Many people still refer to TLS as SSL, especially as many SSL libraries such as OpenSSL and LibreSSL carry out the TLS functions.

Most people are familiar with using SSL with web servers and configuring HTTPS for secure connections. Many applications can use SSL to encrypt their connections, and email systems are no different.

This time we’ll look at how we can secure your Postfix mail server using SSL.

Take note that from this point forward we will be assuming that you are configuring a dedicated server or VPS that already has Postfix configured and working.

You will need to get OpenSSL installed on the server before you can proceed. This can easily be done by using the commands below.

For Debian/Ubuntu systems, use the following commands:

    sudo apt-get update
    sudo apt-get install openssl

For CentOS/RedHat users, you can use this command:

    sudo yum install openssl

First, you will need an SSL certificate. If you already have an SSL certificate installed for the server's hostname (e.g. server.example.com), this can be utilized for Postfix mail server secure connections. Just make sure you configure your mail client to connect to the server's hostname, and no further certificates are required.

If you are using a different domain name (i.e. www.example.com for the website and mail.example.com for the mail server), then you’ll need to generate a new certificate.

Note that in the line above, change “mail.example.com” to be the domain you have configured for your mail server.

The name doesn’t need to be identical, but it helps you keep track of your certificates by matching the domain that the certificates are for.
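The private key and certificate signing request (CSR) for the mail server's hostname can be generated with OpenSSL along the following lines. This is an added example, not the article's original command; the RSA 2048-bit key size, the helper function names and the output directory argument are assumptions.

```shell
#!/bin/sh
# Added example, not the article's command. Assumptions: RSA 2048-bit key,
# the helper names, and the output directory passed as the second argument.

# make_mail_csr FQDN DIR -> writes DIR/FQDN.key and DIR/FQDN.csr
make_mail_csr() {
    fqdn=$1
    dir=$2
    cnf=$(mktemp) || return 1
    # Request config: CN plus a matching subjectAltName, because hostname
    # checks are done against the SAN entry of the issued certificate.
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    rc=0
    # umask 077 so the private key is created readable by its owner only.
    # -nodes leaves the key unencrypted: Postfix cannot prompt for a
    # passphrase when it starts.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
          -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" ) || rc=$?
    rm -f "$cnf"
    return "$rc"
}

# csr_names_host CSR FQDN -> succeeds if the CSR's SAN lists FQDN
csr_names_host() {
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2"
}

# key_is_private KEYFILE -> succeeds if the mode is rw for the owner only
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage: sh make_csr.sh mail.example.com /path/to/cert/dir
if [ "$#" -eq 2 ]; then
    make_mail_csr "$1" "$2" && csr_names_host "$2/$1.csr" "$1" \
        && key_is_private "$2/$1.key"
fi
```

The .csr file is what you submit to the certificate provider; the .key file stays on the server and should never be sent with it.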

Once this task is done, you can then apply for an SSL certificate with your chosen provider. And once you have retrieved your certificate, you can save it in the same directory on the server.

From here we'll assume you've saved your certificate with the same name, that is, mail.example.com.crt. Also put any intermediate certificate files that came with your bundle in that directory.

Next we need to configure Postfix to use this SSL certificate.

This is done by editing the /etc/postfix/main.cf file and setting the TLS parameters. In the standard main.cf file that comes with Debian/Ubuntu this section already exists and will need adjusting to match the below.